Philippe Ombredanne
@pombredanne

@sbs2001 re:

time to review nexB/vulnerablecode#236, it is based off nexB/vulnerablecode#231 which was just a refactor. nexB/vulnerablecode#236 has changed a lot of things; I think you should review it and ignore the old PR.

On my plate :+1:

Shivam Sandbhor
@sbs2001
forgot we had 2 license situations going on :). I was asking about the JS and CSS one.
Shivam Sandbhor
@sbs2001
@pombredanne first draft of README is ready. Not sure this makes sense for a README, too long? https://gist.github.com/sbs2001/5a2b9f54aa17c5a4725020635dd2642a And yes, we will add a GIF in the header just below VulnerableCode :)
Shivam Sandbhor
@sbs2001
We would go scancode style here too, rst and separate SETUP
open the gif (technically it's a png) in a new tab
it's live in the gist too
Shivam Sandbhor
@sbs2001

@copernico @inksong @edoardolanzini, I want to write an importer for NVD. IMHO it is desirable to avoid collecting vulnerabilities whose impact is limited to closed source software or hardware and avoid the fluff. We just want NVD for the reference urls and scores.

My approach is to classify the vulnerabilities into closed source and open source by looking for keywords in the references as well as CPEs. For instance, if I see 'apple' in a CPE I can safely ignore that vulnerability, or if I see 'apache' in a CPE I can collect the vulnerability.

What other approaches are available to do this classification?

Nitin Singhal
@nitin10s
@sbs2001 Those GIFs are great! Sorry for the late message, got stuck in wrapping up the GSoC second eval stuff. I see some minor fixes, will try to make a complete list by today. Meanwhile, can you please tell me about the target audience for this platform?
jinke
@inksong
@sbs2001 For the "summary" to "software" mapping that we discussed before, I found a solution. Would you like to implement it? https://github.com/pinkymm/inconsistency_detection
Shivam Sandbhor
@sbs2001
@pombredanne should I include the updated readme in the UI PR or file a separate PR?
Nitin Singhal
@nitin10s
Also, I am not able to understand the exact context of the platform, such as what packages are. I am currently testing it on the basis of generic UI design guidelines and patterns, pointing out the generic problems related to UX. If possible in future, I would love to understand the complete context of the application and contribute to enhancing the experience in a complete and holistic way.
For optimum readability, a few typography rules need to be followed:
  1. The line-length should be ~60 characters.
  2. The font-size should be decreased for such paragraphs.
  3. Most of the design spans the full device width; rather, there should be appropriate margins on the sides (the .container class should be used [Bootstrap]).
Nitin Singhal
@nitin10s
There is no feedback [error message] when the user tries to create an already created vulnerability.
The VulnerableCode logo should redirect to home, and there shouldn't be any home tab.
The website is not completely accessible through the keyboard. Nav-links like Documentation, Vulnerabilities, Packages, Sign-up and Sign-in can't be accessed through keyboard tabbing.
Appropriate titles need to be used on all the webpages.
Nitin Singhal
@nitin10s
Appropriate and equal margins should be used to make the platform aesthetically better.
The point applies to all such screens.
Nitin Singhal
@nitin10s
When we search a vulnerability, the results HTML basically renders below the search HTML. Rather than this, a new results webpage should be created that includes a searchbar on top and the results. The problem with the current design is that the results basically go below the fold despite being the most important (required) page view. The significant space above the fold is taken by the previous search page unnecessarily. [Let me know if this is unclear; I'll come up with a quick wireframe to explain.]
Nitin Singhal
@nitin10s
After the user searches something, the search bar renders empty, whereas it should display the searched query in the value field so as to help users instantly remember what they searched for [Refer: "Recognition is better than recall" articles].
Again, no margins on the sides make the design look odd.
When I try to update a package, the screen goes blank just after I click on the Update button.
Nitin Singhal
@nitin10s
I see the package is displayed in this form. So isn't it logical to ask users to enter the fields in this order as well? The current order in which fields are asked for is jumbled. Just a small observation.
I don't know the use-cases exactly, but here are some observations that might help:
  1. We can't delete any of our created vulnerabilities and packages.
  2. The same vulnerability can be added to the "Vulnerable To" as well as the "Safe To" section simultaneously.
When I click on the "Remove" button, an X magically appears on top of the vulnerabilities. This is quite confusing and unnecessary; what we can do is omit the remove button and put an X over each vulnerability in a subtle way (and a large icon) so it is afforded as "delete" by the users.
Nitin Singhal
@nitin10s
We are allowed to create an already existing Package (not sure if this is how it was intended).
This is a hyperlink but is very difficult to perceive as one. What you can do is add a text exclusively below saying: "To create a new vulnerability, click here" so that it can be easily understood. Also, when a user clicks here and creates a new vulnerability, they should be redirected to the previous screen so they can continue selecting their newly created vulnerability in the package.
Nitin Singhal
@nitin10s
Okay, that's almost all of it. This might be overwhelming xD, but in case of any confusion regarding any of the above-mentioned points, I'd be more than happy to help clarify it.

I can even come with some quick wireframes to help make the platform aesthetically better by the next week if you are willing to iterate. Otherwise, the aforementioned points about correcting the margins would be great as well.

cc: @pombredanne @sbs2001

Shivam Sandbhor
@sbs2001

Thanks @nitin10s I understand most of your points, and they make perfect sense.

As for

what are packages

This was expected; we use purl (the pkg:type:name strings) to represent packages, you can check https://github.com/package-url/purl-spec for more info.

We can't delete any of our created vulnerabilities and packages.

That's true, in fact we can't delete any vulnerability or package. What we can do instead is delete/create relations between them. I'm not so sure about adding the delete functionality.

The same vulnerability can be added to the "Vulnerable To" as well as the "Safe To" section simultaneously.

This has a long story with it. You won't be able to do it once nexB/vulnerablecode#239 gets merged. That being said we should have a way of telling the user that they messed up.

Other than that I'm off to implementing your suggested changes for now and would ask for extra clarification if required. Thanks again for the detailed review, I really appreciate this.

Shivam Sandbhor
@sbs2001
xbtn.png
@nitin10s are you cool with the X button as it is now?
So instead of clicking the remove button, we can have the X button already present, as you suggested. This would avoid confusion and offer a good flow when multiple vulnerabilities are to be removed, right?
Shivam Sandbhor
@sbs2001

When I try to update a package, the screen goes blank just after I click on the Update button.

Good catch, fixed.

Nitin Singhal
@nitin10s

xbtn.png

No, make it a little bigger in size [button height = text height] and keep it horizontally aligned with the text.

Shivam Sandbhor
@sbs2001
zzxcv.png
does the margin look fine for the whole red-green container?
Shivam Sandbhor
@sbs2001
@nitin10s what do you think of centering the add button in the red container?
Shivam Sandbhor
@sbs2001

The same vulnerability can be added to the "Vulnerable To" as well as the "Safe To" section simultaneously.

Fixed

Nitin Singhal
@nitin10s

@nitin10s what do you think of centering the add button in the red container?

No, it should be on the left for fast accessibility. We just need some margins; I'll make a quick wireframe explaining how the margins should be kept.

Shivam Sandbhor
@sbs2001
Does anybody have an idea what refsource is supposed to mean in NVD's JSON feeds?
In [22]: xc['CVE_Items'][0]['cve']['references']
Out[22]:
{'reference_data': [{'url': 'https://source.android.com/security/bulletin/2020-01-01',
   'name': 'https://source.android.com/security/bulletin/2020-01-01',
   'refsource': 'CONFIRM',
   'tags': ['Vendor Advisory']}]}
Shivam Sandbhor
@sbs2001
In [27]: rsc = set()

In [28]: for it in xc['CVE_Items']:
    ...:     for ref in it['cve']['references']['reference_data']:
    ...:         rsc.add(ref['refsource'])
    ...:

In [29]: rsc
Out[29]:
{'BUGTRAQ',
 'CERT',
 'CERT-VN',
 'CISCO',
 'CONFIRM',
 'DEBIAN',
 'EXPLOIT-DB',
 'FEDORA',
 'FREEBSD',
 'FULLDISC',
 'GENTOO',
 'HP',
 'IBM',
 'JVN',
 'MISC',
 'MLIST',
 'N/A',
 'REDHAT',
 'SUSE',
 'UBUNTU',
 'XF',
 'https://www.tenable.com/cve/CVE-2020-5756',
 'https://www.tenable.com/cve/CVE-2020-5757',
 'https://www.tenable.com/cve/CVE-2020-5758',
 'https://www.tenable.com/cve/CVE-2020-5759'}
Ok, so it is what it is, the source of the reference, but what is CONFIRM supposed to mean?
Nitin Singhal
@nitin10s
Web 1280 – 1.png